Credit Union and NCUA – The National Credit Union Administration (NCUA) requires that all federal credit unions have a business continuity plan. No matter how big or small a credit union you are, make sure you are aware of the regulations used by the NCUA for audits. The NCUA uses key elements from the FFIEC IT Booklet as references when evaluating a business continuity plan:
Business Impact Analysis – The NCUA confirms that all business functions and processes are identified. If there is an interruption to these processes, how does it impact the credit union? With the processes prioritized and interdependencies identified, what are the legal and regulatory requirements for each?
Risk Assessment – In this step, identify the threats to your credit union and the potential impact of each. With a clear list of threats identified, prioritize them to determine which pose the biggest risks. Include the severity of their impact on the business and their likelihood of occurring.
The Plan – It’s not enough to download a free business continuity plan template and then add your credit union’s name. The NCUA confirms particular elements that you need to be able to deliver. A plan review by both the board and senior management should take place annually. The plan also must be shared with all employees of the credit union. Particular focus should be placed on the impact of various threats that could disrupt operations rather than on specific events. While it is good to have a tornado plan, it is better to have a plan that addresses how to operate through the effects of a tornado. This may include when buildings and equipment are damaged, systems are not available, only a fraction of your people can report to work, and/or third-party suppliers are unable to serve you.
Testing your Plan – Once you write your plan, your work is not complete. The NCUA looks for evidence that your plan is tested at least annually. The test results must be compared against your BCP. This process identifies gaps in your plan. There needs to be evidence that the BCP has been updated based on these test results. Your testing program also must be reviewed by an independent third party.
Vendor Management – From telecommunications providers to secure cash delivery, credit unions rely heavily on third parties to support their operations. Vendor due diligence is a critical part of ensuring your business continuity plan will support you in recovery. The NCUA looks for evidence that you are ensuring your suppliers have regularly tested business continuity plans. For really critical services, such as telecommunications, they may want to see redundant service providers in place.
This is just a high-level look at what the NCUA needs when they come to audit your business continuity preparations. For more information on these requirements, be sure to review the FFIEC Testing booklet. If you need help ensuring your plan meets the NCUA’s requirements, KingsBridge is available to help through our plan writing and exercising services or through our Shield software, with a template customized for credit unions and a built-in notification solution.
KingsBridgeBCP offers businesses of all sizes BCP Software Solutions and industry know-how based on best practices. We help build, exercise, and maintain Business Continuity Plans. Our services and software packages are customized to meet the wide range of our customers’ needs, ensuring we deliver the best value in every project.